[solved] Malware attack on prestashop installation

[kingdompaul]

Hello all,

 

Please i need help. I keep getting malware attacks on an online shop i developed using prestashop web app. Google keeps blacklisted it. i have deleted, re-installed, but the issue persists. is this a general issue or i need to so something. Thanks in anticipation. of your help.

[vekia]

Hello all,

 

Please i need help. I keep getting malware attacks on an online shop i developed using prestashop web app. Google keeps blacklisted it. i have deleted, re-installed, but the issue persists. is this a general issue or i need to so something. Thanks in anticipation. of your help.

 

you must be more specific, what do you mean by malware attacks?

you must explain this issue, because on the moment we don't know anything about it

[Dh42]

More than likely you need to change your ftp login and password. Also are you running wordpress on the same domain / database?

[kingdompaul]

Thanks all.

@vekia; i mean i have installed prestashop a couple of times online using my domain and hosting and shortly afterwards google would put a blacklist on it. i observed malicious code being injected into some files like index, many times, i will delete the installation but the same thing still happens.

 

@dh42, no, am not running wordpress on the domain/database except that i have a hosting platform where i hosted wordpress and other cms, but there is no report of malware attack on the wordpress install.

[Dh42]

Change everything. Change your sql password and user name, ftp user name and password. What version of ps are you running? I would fare to guess that it is not related to ps so much as someone got your password to your domain. Also make sure the permissions are set correctly on your files.

[kingdompaul]

Thanks Dh42, i am using prestashop 1.5.2, the most recent version. I have done as you suggested. many thanks, i will revert on the outcome

[Dh42]

Are you running on a vps or dedicated machine by any chance also? If so you can use the logs to determine when and how the attacks took place.

[kingdompaul]

this is google message:

 

Malicious software is hosted on 5 domain(s), including krrvxgw.dynamic-dns.net/, wfewthg.ns01.info/, vfxmix.proxydns.com/.

This site was hosted on 2 network(s) including AS26496 (PAH), AS15169 (Google Internet Backbone).

[jberezhnoy]

Hi kingdompaul,

 

if you changed all your passwords (MySQL,prestashop password and admin panel address ftp, webhosting etc) and set proper permissions to all files/folders, but the malware is still alive, then most probably somebody has backdoored your website (i.e. there is a malicious file in one of your folders). In addition, check your .htaccess file - the bad guys could easily have added another user(s) and password(s) to have access.

 

It would be good to contact your hosting provider and ask for their help (they can check the log files, permissions etc). If you use shared hosting It's possible that you suffer from the security holes from other website

Edited November 27, 2012 by jberezhnoy (see edit history)

[kingdompaul]

Thank you all,

 

The problem has been resolved now.

 

I changed all passwords sql, admin panel and deleted ftps.

 

I appreciate all your support, you guys are great.

[vekia]

thanks for the information @kingdompaul

 

i marked this topic as solved